mosh created SOLR-13480:
---------------------------

             Summary: Collection creation failure when using Kerberos authentication combined with rule-base authorization
                 Key: SOLR-13480
                 URL: https://issues.apache.org/jira/browse/SOLR-13480
             Project: Solr
          Issue Type: Bug
      Security Level: Public (Default Security Level. Issues are Public)
          Components: Authorization, security
    Affects Versions: 7.7.1
            Reporter: mosh


Creation of collection with an authorized user fails with the following error:
{code:java}
org.apache.solr.common.SolrException: Error getting replica locations : unable to get autoscaling policy session{code}
At first it may seem like a duplicate of SOLR-13355, as we are using the “all” 
permission, but the bug is specific to Kerberos (tested and found OK using basic 
auth), plus we verified the failure with a 7.7.2 snapshot that included the 
relevant patch.

+How to reproduce:+
1. Configure SolrCloud with the Kerberos authentication and rule-based 
authorization plugins using the following security.json file:
{code:java}
{
"authentication":{
   "class":"org.apache.solr.security.KerberosPlugin"
},
"authorization":{
   "class":"solr.RuleBasedAuthorizationPlugin",
   "permissions":[
     {
       "name":"read",
       "role":"*"
     },
     {
       "name":"all",
       "role":"admin_user"
     }
   ],
   "user-role":{
     "admin_user@OUR_REALM":"admin_user"
   }
}}{code}
2. Create collection using an authorized user:
{code:java}
kinit admin_user@OUR_REALM

curl --negotiate -u : "http://<HOST:PORT>/solr/admin/collections?action=CREATE&name=mycoll&numShards=1&collection.configName=_default"{code}
{color:#d04437}==> request fails with the error written above.{color}

3. Disable authorization by removing the _authorization_ section from 
security.json, so the file should be as follows:
{code:java}
{
  "authentication":{
    "class":"org.apache.solr.security.KerberosPlugin"
  }
}{code}
4. Create collection again as in step 2.
{color:#14892c}==> request succeeds.{color}

5. Return the authorization section to security.json (file from step 1) and make 
sure authorization works as expected by inserting documents and executing 
search queries with different users.


